
Page 1: Special Publication 800-171 - ACSA) - c · 2019-07-16 · § NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Special Publication 800-171
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Dr. Ron Ross, Computer Security Division, Information Technology Laboratory

Page 2

First, some definitions.

Page 3

Controlled Unclassified Information

Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. -- Executive Order 13556

Page 4

Controlled Unclassified Information

Supports federal missions and business functions that affect the economic and national security interests of the United States.

Page 5

Federal Information System

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. -- Federal Information Security Management Act (40 U.S.C., Sec. 11331)

Page 6

Nonfederal Information System

An information system that does not meet the criteria for a federal information system. -- NIST Special Publication 800-171

Page 7

Nonfederal Organization

An entity that owns, operates, or maintains a nonfederal information system. -- NIST Special Publication 800-171

Page 8

Nonfederal Organizations: Some Examples

§  Federal contractors.
§  State, local, and tribal governments.
§  Colleges and universities.

Page 9

An urgent need… A national imperative.

The protection of Controlled Unclassified Information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. -- NIST Special Publication 800-171

Page 10

Executive Order 13556: Controlled Unclassified Information

November 4, 2010

The Order:

§  Established a governmentwide Controlled Unclassified Information (CUI) Program to standardize the way the Executive branch handles unclassified information that requires protection.
§  Designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program.

Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or governmentwide policy may be designated as CUI.

Page 11

The CUI Registry
www.archives.gov/cui/registry/category-list.html

§  Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.
§  Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls.
§  Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

Page 12

The Big Picture: A three-part plan for the protection of CUI

§  Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide.
§  NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations.
§  Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors.

Page 13

NIST Special Publication 800-171
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

June 2015

Page 14

Purpose

§  To provide federal agencies with recommended requirements for protecting the confidentiality of CUI:
    §  When the CUI is resident in nonfederal information systems and organizations.
    §  Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.
    §  When the information systems where the CUI resides are not operated by organizations on behalf of the federal government.

Page 15

Applicability

§  CUI requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for such components.
§  The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

Page 16

Target Audience: Public and Private Sectors

Individuals with:

§  System development life cycle responsibilities.
    §  Program managers, information owners, mission/business owners.
§  Acquisition or procurement responsibilities.
    §  Contracting officers, COTRs.
§  Information security or risk management responsibilities.
    §  Authorizing officials, CIOs, CISOs, system owners/security managers.
§  Security assessment and monitoring responsibilities.
    §  Auditors, system evaluators, assessors, independent verifiers and validators.

Page 17

Assumption #1

§  Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal information systems or nonfederal information systems.

Page 18

Assumption #2

§  Safeguards implemented to protect CUI are consistent in both federal and nonfederal information systems and organizations.

Page 19

Assumption #3

§  The confidentiality impact value for CUI is no lower than moderate in accordance with FIPS Publication 199.

Page 20

Additional Assumptions

Nonfederal Organizations:

§  Have information technology infrastructures in place.
§  Are not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI.
§  Have safeguarding measures in place to protect their information.
    §  May also be sufficient to satisfy the CUI requirements.
§  May not have the necessary organizational structure or resources to satisfy every CUI security requirement.
    §  Can implement alternative, but equally effective, security measures.
§  Can implement a variety of potential security solutions.
    §  Directly or through the use of managed services.

Page 21

CUI Security Requirements

Basic and derived security requirements are obtained from FIPS 200 and NIST SP 800-53 initially, and then tailored appropriately to eliminate requirements that are:

§  Uniquely federal (i.e., primarily the responsibility of the federal government).
§  Not directly related to protecting the confidentiality of CUI.
§  Expected to be routinely satisfied by nonfederal organizations without specification.

Page 22

Security Requirements: 14 Families

§  Access Control.
§  Audit and Accountability.
§  Awareness and Training.
§  Configuration Management.
§  Identification and Authentication.
§  Incident Response.
§  Maintenance.
§  Media Protection.
§  Physical Protection.
§  Personnel Security.
§  Risk Assessment.
§  Security Assessment.
§  System and Communications Protection.
§  System and Information Integrity.

Obtained from FIPS 200 and NIST Special Publication 800-53.

Page 23

Structure of Security Requirements

§  Security requirements have a well-defined structure that consists of the following components:
    §  Basic security requirements section.
    §  Derived security requirements section.

Page 24

Security Requirement Example: Configuration Management

Basic Security Requirements:

3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Derived Security Requirements:

3.4.3 Track, review, approve/disapprove, and audit changes to information systems.

3.4.4 Analyze the security impact of changes prior to implementation.

3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

Page 25

Two new appendices.

Mapping Tables: Mapping CUI requirements to ISO 27001 and SP 800-53 security controls.

Tailoring Criteria: Tailoring actions applied to the moderate security control baseline.

Page 26

Appendix E

TAILORING SYMBOL  TAILORING CRITERIA
NCO  Not directly related to protecting the confidentiality of CUI.
FED  Uniquely federal, primarily the responsibility of the federal government.
NFO  Expected to be routinely satisfied by nonfederal organizations without specification.
CUI  The CUI basic or derived security requirement is reflected in and is traceable to the security control, control enhancement, or specific elements of the control/enhancement.

Page 27

Appendix E – AC Family
NIST SP 800-53 Moderate Baseline Security Controls

AC-1  Access Control Policy and Procedures  NFO
AC-2  Account Management  CUI
AC-2(1)  ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT  NCO
AC-2(2)  ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY/EMERGENCY ACCOUNTS  NCO
AC-2(3)  ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS  NCO
AC-2(4)  ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS  NCO
AC-3  Access Enforcement  CUI
AC-4  Information Flow Enforcement  CUI
AC-5  Separation of Duties  CUI
AC-6  Least Privilege  CUI
AC-6(1)  LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS  CUI
AC-6(2)  LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS  CUI

Page 28

Appendix E – CM Family
NIST SP 800-53 Moderate Baseline Security Controls

CM-1  Configuration Management Policy and Procedures  NFO
CM-2  Baseline Configuration  CUI
CM-2(1)  BASELINE CONFIGURATION | REVIEWS AND UPDATES  NFO
CM-2(3)  BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS  NCO
CM-2(7)  BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS  NFO
CM-3  Configuration Change Control  CUI
CM-3(2)  CONFIGURATION CHANGE CONTROL | TEST/VALIDATE/DOCUMENT CHANGES  NFO
CM-4  Security Impact Analysis  CUI
CM-5  Access Restrictions for Change  CUI
CM-6  Configuration Settings  CUI
CM-7  Least Functionality  CUI
CM-7(1)  LEAST FUNCTIONALITY | PERIODIC REVIEW  CUI

Page 29

Appendix E – CA Family
NIST SP 800-53 Moderate Baseline Security Controls

CA-1  Security Assessment and Authorization Policies and Procedures  NFO
CA-2  Security Assessments  CUI
CA-2(1)  SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS  NFO
CA-3  System Interconnections  NFO
CA-3(5)  SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS  NFO
CA-5  Plan of Action and Milestones  CUI
CA-6  Security Authorization  FED
CA-7  Continuous Monitoring  CUI
CA-7(1)  CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT  NFO
CA-9  Internal System Connections  NFO
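Added example, not part of the deck and not NIST's own tooling: a small Python script that parses Appendix E mapping rows in the "control id, title, tailoring symbol" shape shown on the family slides, applies the tailoring criteria (only CUI-tagged rows survive; NCO, FED and NFO rows are tailored out), and flags kept base controls whose enhancements were tailored out, which an assessor should scope to the base control alone. The row set is a constructed subset transcribed from the AC and CA family slides.

```python
import re
from collections import defaultdict

# Tailoring symbols from the deck's Appendix E criteria slide: only CUI (traceable to a
# basic/derived CUI requirement) is kept; NCO, FED and NFO rows are tailored out.

# Constructed sample: selected rows transcribed from the deck's AC and CA family slides.
APPENDIX_E_ROWS = """
AC-2 Account Management CUI
AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT NCO
AC-2(2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY/EMERGENCY ACCOUNTS NCO
AC-2(3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS NCO
AC-2(4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS NCO
CA-2 Security Assessments CUI
CA-2(1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS NFO
CA-3 System Interconnections NFO
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS NFO
CA-5 Plan of Action and Milestones CUI
CA-6 Security Authorization FED
CA-7 Continuous Monitoring CUI
CA-7(1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT NFO
"""

# A row is: control id (optionally with an enhancement number), title, tailoring symbol.
ROW_RE = re.compile(r"^([A-Z]{2}-\d+(?:\(\d+\))?)\s+(.+?)\s+(CUI|NCO|FED|NFO)$")

def parse_rows(text=APPENDIX_E_ROWS):
    """Parse mapping-table rows into dicts; reject any line that does not fit the shape."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        cid, title, symbol = m.groups()
        rows.append({"id": cid, "parent": cid.split("(")[0], "title": title, "symbol": symbol})
    return rows

def tailor(rows):
    """Keep only CUI-traceable rows; group the rest by the criterion that removed them."""
    kept = [r["id"] for r in rows if r["symbol"] == "CUI"]
    removed = defaultdict(list)
    for r in rows:
        if r["symbol"] != "CUI":
            removed[r["symbol"]].append(r["id"])
    return kept, dict(removed)

def enhancements_tailored_out(rows):
    """Kept base controls whose enhancements were removed (e.g. AC-2 without AC-2(1..4))."""
    symbol = {r["id"]: r["symbol"] for r in rows}
    out = defaultdict(list)
    for r in rows:
        if "(" in r["id"] and r["symbol"] != "CUI" and symbol.get(r["parent"]) == "CUI":
            out[r["parent"]].append(r["id"])
    return dict(out)
```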

Page 30

The road ahead.

Page 31

In the Interim…

Using NIST Special Publication 800-171 on a voluntary basis

§  Until the formal process of establishing a single FAR clause takes place, the CUI security requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.


Page 33

Contact Information

100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

NIST: Dr. Ron Ross, (301) 975-5390, [email protected]
NARA/ISOO: Dr. Pat Viscuso, (202) 357-5313, [email protected]
NIST: Kelley Dempsey, (301) 975-2827, [email protected]
NARA/ISOO: Mark Riddle, (202) 357-6864, [email protected]

Comments: [email protected]
Web: csrc.nist.gov